Configuring PingDirectory to use an OIDC identity provider

To configure PingDirectory to use a non-PingFederate OpenID Connect (OIDC) provider as the identity provider for Delegated Admin, you must do the following:

  1. Add any new attributes to be mapped from the OIDC provider to the PingDirectory schema and the appropriate user entries.

  2. Create an identity mapper that maps OIDC users to PingDirectory entries.

  3. Create an access token validator that uses the identity mapper to match claims in the access token to PingDirectory entry attributes. Learn more in Handling signed tokens.

The following steps provide a sample configuration for completing these tasks. The configuration assumes that:

  • You create an externalIDPID attribute in the PingDirectory schema and add it to user entries.

    • The attribute contains the unique ID for the PingDirectory user in the OIDC provider.

  • The OIDC provider generates a JSON Web Token (JWT) with a sub claim.

  • The sub claim gets mapped to the externalIDPID attribute in the PingDirectory user entry.

Update any values to match your environment and OIDC provider configuration.

Steps

  1. Import the following LDIF file to create an auxiliary object class named externalIDPUser with the externalIDPID attribute (a schema LDIF file must begin with the cn=schema DN):

    dn: cn=schema
    objectClass: top
    objectClass: ldapSubentry
    objectClass: subschema
    cn: schema
    attributeTypes: ( externalIDPID-OID NAME 'externalIDPID' USAGE userApplications X-SCHEMA-FILE '99-user.ldif' )
    objectClasses: ( externalIDPUser-OID NAME 'externalIDPUser' AUXILIARY MUST externalIDPID X-SCHEMA-FILE '99-user.ldif' )

  2. Add the externalIDPUser object class and externalIDPID attribute to every Delegated Admin user entry. The attribute value must be the user's unique ID at the OIDC provider, that is, the value the provider places in the sub claim for that user.

    bin/ldapmodify <<+
    dn: uid=externalIDPUser,ou=People,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: externalIDPUser
    -
    add: externalIDPID
    externalIDPID: 078ec98d-9dc2-4cc3-9a7e-db0e65d75fe6
    +

  3. Create an identity mapper that matches users based on the externalIDPID attribute:

    dsconfig create-identity-mapper \
      --mapper-name "External IDP User Mapper" \
      --type exact-match \
      --set "description:Used to match the identifier to the externalIDPID attribute" \
      --set enabled:true \
      --set match-attribute:externalIDPID

  4. Create an HTTP external server for the OIDC provider. Replace <OIDC-authority-URL> with the base URL of the OIDC client’s Discovery endpoint.

    dsconfig create-external-server \
      --server-name "External IDP HTTP Server" \
      --type http \
      --set base-url:<OIDC-authority-URL>

  5. Create a JWT access token validator using the identity mapper and external server created in the previous steps. Replace <IdP-JWKS-endpoint> with the URL of the JSON Web Key Set (JWKS) endpoint for the OIDC client.

    dsconfig create-access-token-validator \
      --validator-name "External IDP Access Token Validator" \
      --type jwt \
      --set "identity-mapper:External IDP User Mapper" \
      --set enabled:true \
      --set "authorization-server:External IDP HTTP Server" \
      --set jwks-endpoint-path:<IdP-JWKS-endpoint>
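As an added example, not part of the PingDirectory documentation or product, the following Python emulates the mapping chain the steps above configure: the sub claim is read from a token, turned into an RFC 4515-escaped filter on externalIDPID, and resolved by an exact-match lookup that fails unless exactly one entry matches. The token, DNs and issuer URL are constructed sample data; signature verification is deliberately not emulated, since the access token validator performs it against the JWKS endpoint.

```python
import base64
import json

# Constructed sample data, not from a real IdP; the sub value is the one used in step 2.
SAMPLE_SUB = "078ec98d-9dc2-4cc3-9a7e-db0e65d75fe6"
SAMPLE_ENTRIES = {  # dn -> externalIDPID, as exported from the directory
    "uid=externalIDPUser,ou=People,dc=example,dc=com": SAMPLE_SUB,
    "uid=jdoe,ou=People,dc=example,dc=com": "5e1c9c2a-0000-4000-8000-000000000001",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_token(sub: str) -> str:
    """Build a JWT-shaped token for inspection only; the signature part is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": "https://idp.example.com", "sub": sub}).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"

def jwt_sub(token: str) -> str:
    """Read sub WITHOUT verifying the signature. PingDirectory's JWT validator does the
    verification against the JWKS endpoint; this is only a troubleshooting aid."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def ldap_filter_escape(value: str) -> str:
    """Escape per RFC 4515 so a sub value is safe to embed in a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def search_filter(sub: str) -> str:
    """The filter an exact-match mapper on match-attribute externalIDPID effectively applies."""
    return f"(externalIDPID={ldap_filter_escape(sub)})"

def map_sub_to_dn(sub: str, entries: dict) -> str:
    """Emulate the exact-match identity mapper over {dn: externalIDPID}: zero or several
    matches are a mapping failure, never a best guess."""
    matches = [dn for dn, ext in entries.items() if ext == sub]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match externalIDPID={sub!r}; need exactly 1")
    return matches[0]

if __name__ == "__main__":
    sub = jwt_sub(sample_token(SAMPLE_SUB))
    print(search_filter(sub), "->", map_sub_to_dn(sub, SAMPLE_ENTRIES))
```

Running the script prints the filter for the sample sub and the single DN it resolves to; a second entry carrying the same externalIDPID value makes map_sub_to_dn raise, which is the behaviour to expect from the mapper when attribute values are not unique.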